Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5548 vulnerabilities reference this CWE, most recent first.

GHSA-3CM5-WPG3-V928

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:17
VLAI
Details

Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: Incorrect Access Control. The impact is: Potential for unathorised access to data. The component is: Incorrect calls to _ensure_auth() wrapper result in authentication-checking not being applied to al routes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1010084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-17T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: Incorrect Access Control. The impact is: Potential for unathorised access to data. The component is: Incorrect calls to _ensure_auth() wrapper result in authentication-checking not being applied to al routes.",
  "id": "GHSA-3cm5-wpg3-v928",
  "modified": "2024-04-04T01:17:18Z",
  "published": "2022-05-24T16:50:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010084"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bigpresh/Dancer-Plugin-SimpleCRUD/pull/109"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CP5-CFV6-4X6R

Vulnerability from github – Published: 2024-06-03 21:30 – Updated: 2024-08-01 15:31
VLAI
Details

Incorrect access control in the fingerprint authentication mechanism of Phone Cleaner: Boost & Clean v2.2.0 allows attackers to bypass fingerprint authentication due to the use of a deprecated API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31682"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-03T20:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Incorrect access control in the fingerprint authentication mechanism of Phone Cleaner: Boost \u0026 Clean v2.2.0 allows attackers to bypass fingerprint authentication due to the use of a deprecated API.",
  "id": "GHSA-3cp5-cfv6-4x6r",
  "modified": "2024-08-01T15:31:46Z",
  "published": "2024-06-03T21:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31682"
    },
    {
      "type": "WEB",
      "url": "https://zzzxiin.github.io/post/phone-cleaner"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CR4-WH42-GQ3C

Vulnerability from github – Published: 2023-07-06 21:15 – Updated: 2024-04-04 05:46
VLAI
Details

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-24T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list.\u00a0\n\n",
  "id": "GHSA-3cr4-wh42-gq3c",
  "modified": "2024-04-04T05:46:19Z",
  "published": "2023-07-06T21:15:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1158"
    },
    {
      "type": "WEB",
      "url": "https://support.pentaho.com/hc/en-us/articles/14456024873741-IMPORTANT-Resolved-Pentaho-BA-Server-Incorrect-Authorization-Versions-before-9-4-0-1-and-9-3-0-3-including-8-3-x-Impacted-CVE-2023-1158-"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CR6-X963-CVM9

Vulnerability from github – Published: 2023-06-02 18:30 – Updated: 2024-04-04 04:30
VLAI
Details

Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so.
This bug only affects Firefox for Android. Other versions of Firefox are unaffected.. This vulnerability affects Firefox < 111.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-02T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. \u003cbr\u003e*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox \u003c 111.",
  "id": "GHSA-3cr6-x963-cvm9",
  "modified": "2024-04-04T04:30:18Z",
  "published": "2023-06-02T18:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25749"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1810705"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CVF-FPQ3-C29M

Vulnerability from github – Published: 2023-04-11 21:31 – Updated: 2025-02-11 18:31
VLAI
Details

Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Event Notification configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-11T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Event Notification configuration.",
  "id": "GHSA-3cvf-fpq3-c29m",
  "modified": "2025-02-11T18:31:11Z",
  "published": "2023-04-11T21:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25415"
    },
    {
      "type": "WEB",
      "url": "https://www.pentagrid.ch/en/blog/multiple-vulnerabilities-in-aten-PE8108-power-distribution-unit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CW5-7CXW-V5QG

Vulnerability from github – Published: 2023-02-01 01:37 – Updated: 2023-02-01 01:37
VLAI
Summary
Dompdf vulnerable to URI validation failure on SVG parsing
Details

Summary

The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing <image> tags with uppercase letters. This might leads to arbitrary object unserialize on PHP < 8, through the phar URL wrapper.

Details

The bug occurs during SVG parsing of <image> tags, in src/Image/Cache.php :

if ($type === "svg") {
    $parser = xml_parser_create("utf-8");
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
    xml_set_element_handler(
        $parser,
        function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
            if ($name === "image") {
                $attributes = array_change_key_case($attributes, CASE_LOWER);

This part will try to detect <image> tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with "image" is case sensitive, which means that such a tag in the SVG will pass :

<svg>
    <Image xlink:href="phar:///foo"></Image>
</svg>

As the tag is named "Image" and not "image", it will not pass the condition to trigger the check.

A correct solution would be to strtolower the $name before the check :

if (strtolower($name) === "image") {

PoC

Parsing the following SVG file is sufficient to reproduce the vulnerability :

<svg>
    <Image xlink:href="phar:///foo"></Image>
</svg>

Impact

An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "dompdf/dompdf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-551",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-01T01:37:56Z",
    "nvd_published_at": "2023-02-01T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This might leads to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper.\n\n### Details\nThe bug occurs during SVG parsing of `\u003cimage\u003e` tags, in src/Image/Cache.php : \n\n```\nif ($type === \"svg\") {\n    $parser = xml_parser_create(\"utf-8\");\n    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);\n    xml_set_element_handler(\n        $parser,\n        function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\n            if ($name === \"image\") {\n                $attributes = array_change_key_case($attributes, CASE_LOWER);\n```\nThis part will try to detect `\u003cimage\u003e` tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with \"image\" is case sensitive, which means that such a tag in the SVG will pass : \n\n```\n\u003csvg\u003e\n    \u003cImage xlink:href=\"phar:///foo\"\u003e\u003c/Image\u003e\n\u003c/svg\u003e\n```\n\nAs the tag is named \"Image\" and not \"image\", it will not pass the condition to trigger the check.\n\nA correct solution would be to strtolower the `$name` before the check : \n\n```\nif (strtolower($name) === \"image\") {\n```\n\n### PoC\nParsing the following SVG file is sufficient to reproduce the vulnerability :\n\n```\n\u003csvg\u003e\n    \u003cImage xlink:href=\"phar:///foo\"\u003e\u003c/Image\u003e\n\u003c/svg\u003e\n```\n\n### Impact\nAn attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.\n",
  "id": "GHSA-3cw5-7cxw-v5qg",
  "modified": "2023-02-01T01:37:56Z",
  "published": "2023-02-01T01:37:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23924"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-23924.yaml"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-3cw5-7cxw-v5qg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dompdf/dompdf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dompdf vulnerable to URI validation failure on SVG parsing"
}

GHSA-3F29-PQWF-V4J4

Vulnerability from github – Published: 2026-05-05 21:26 – Updated: 2026-05-13 13:52
VLAI
Summary
Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass
Details

Summary

Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches (notably in v1.8.0-beta.27/28) aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed.

A low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt.

Affected version

Grav CMS: v1.8.0-beta.29 (and earlier 1.8.x beta versions).

Note: This vulnerability persists even after the vendor attempted to mitigate similar SSTI vectors in earlier beta releases.

Steps to Reproduce

  1. Create a low-privileged account (MY CASE IS 'editor_chen') with permissions limited to admin.login and basic page management (create, update, list). Ensure all administrative permissions (Configuration, User Accounts, ...) are explicitly Denied.

  2. Login to the Admin panel using editor_chen. Navigate to Pages and edit the Home page.

  3. Under the Advanced tab, ensure Process Twig is enabled .

  4. In the Content tab, inject the following Twig payload designed to bypass the isDangerousFunction filter by accessing the internal service container:

---
title: Information Disclosure Test
process:
    twig: true
---
# Security Audit Results
- Admin Password Hash: {{ grav['accounts'].load('admin').get('hashed_password') }}
- Security Salt: {{ grav.config.get('security.salt') }}

GRAV

  1. Click Save. And navigate to the public page (http://localhost:8000/home). Page will render and display the administrator's Bcrypt hash and the system security salt. GRAV2

PoC

---
title: Information Disclosure Test
process:
    twig: true
---
# Security Audit Results
- Admin Password Hash: {{ grav['accounts'].load('admin').get('hashed_password') }}
- Security Salt: {{ grav.config.get('security.salt') }}

Impact

Attackers can obtain the password hashes of all registered users, including Super Administrators.

Extracted hashes can be subjected to offline brute-force or dictionary attacks (EX: USE Hashcat)

Video

Pls refer to the attached video


Maintainer note — fix applied (2026-04-24)

Fixed in Grav core on the 2.0 branch: commit d904efc33 — will ship in 2.0.0-beta.2.

What changed: the HMAC key formerly stored as security.salt in user/config/security.yaml has moved out of the Config tree into user/config/security-private.php. On upgrade, the existing salt value is migrated into the new file on first request (preserving CSRF nonces and sessions) and the key is scrubbed from both the live Config object and the on-disk YAML — so {{ grav.config.get('security.salt') }} from a sandboxed Twig template now returns null. The .php extension is blocked from web access by the default user/*.php htaccess rule; the file contains only a return statement, so direct PHP exec produces no output either.

The PoC's password-hash half (grav['accounts'].load('admin').get('hashed_password')) was already covered by the new Twig content sandbox in 2.0.0-beta.2 — UserCollection::load is not in the sandbox allowlist — see the separate GHSA-58hj-46fw-rcfm advisory.

Files: - system/src/Grav/Common/Security.php — new Security::getNonceKey() + migration. - system/src/Grav/Common/Utils.phpgenerateNonceString now uses the new key. - system/src/Grav/Common/Service/SessionServiceProvider.php. - system/src/Grav/Common/Config/Setup.php — removed auto-gen of security.salt. - system/config/security.yaml — removed placeholder salt:. - tests/unit/Grav/Common/Security/NonceKeySecurityTest.php — migration + generation coverage.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:26:45Z",
    "nvd_published_at": "2026-05-11T16:17:33Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nInformation disclosure exists in `Grav CMS v1.8.0-beta.29`. Despite previous security patches (notably in `v1.8.0-beta.27/28`) aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed.\n\nA low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the `grav[\u0027accounts\u0027]` service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt.\n\n## Affected version\nGrav CMS: `v1.8.0-beta.29` (and earlier 1.8.x beta versions).\n\nNote: This vulnerability persists even after the vendor attempted to mitigate similar SSTI vectors in earlier beta releases.\n\n## Steps to Reproduce\n1. Create a low-privileged account (MY CASE IS \u0027editor_chen\u0027) with permissions limited to admin.login and basic page management (create, update, list). Ensure all administrative permissions (Configuration, User Accounts, ...) are explicitly Denied.\n\n2. Login to the Admin panel using  `editor_chen`. Navigate to Pages and edit the `Home` page.\n\n\n3. Under the Advanced tab, ensure Process Twig is enabled .\n\n4. In the Content tab, inject the following Twig payload designed to bypass the `isDangerousFunction` filter by accessing the internal service container:\n```\n---\ntitle: Information Disclosure Test\nprocess:\n    twig: true\n---\n# Security Audit Results\n- Admin Password Hash: {{ grav[\u0027accounts\u0027].load(\u0027admin\u0027).get(\u0027hashed_password\u0027) }}\n- Security Salt: {{ grav.config.get(\u0027security.salt\u0027) }}\n```\n\u003cimg width=\"1176\" height=\"618\" alt=\"GRAV\" src=\"https://github.com/user-attachments/assets/7970216a-2dc6-4d1b-8dfd-b64f3712c9c5\" /\u003e\n\n\n5. Click Save. And navigate to the public page (`http://localhost:8000/home`). Page will render and display the administrator\u0027s Bcrypt hash and the system security salt.\n\u003cimg width=\"1278\" height=\"462\" alt=\"GRAV2\" src=\"https://github.com/user-attachments/assets/33b7b894-6ae3-4d29-bd2d-8004e9b343e0\" /\u003e\n\n\n\n\n\n\n\n## PoC\n```\n---\ntitle: Information Disclosure Test\nprocess:\n    twig: true\n---\n# Security Audit Results\n- Admin Password Hash: {{ grav[\u0027accounts\u0027].load(\u0027admin\u0027).get(\u0027hashed_password\u0027) }}\n- Security Salt: {{ grav.config.get(\u0027security.salt\u0027) }}\n```\n\n## Impact\nAttackers can obtain the password hashes of all registered users, including Super Administrators.\n\nExtracted hashes can be subjected to offline brute-force or dictionary attacks (EX: USE Hashcat)\n\n## Video\nPls refer to the attached video\n\u003cvideo src=\"https://github.com/user-attachments/assets/74d5ae41-7911-4099-b2cc-e6c51b27c68c\" controls=\"controls\" style=\"max-width: 100%;\"\u003e\n\u003c/video\u003e\n\n\n\n---\n\n## Maintainer note \u2014 fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`d904efc33`](https://github.com/getgrav/grav/commit/d904efc33) \u2014 will ship in **2.0.0-beta.2**.\n\n**What changed:** the HMAC key formerly stored as `security.salt` in `user/config/security.yaml` has moved **out of the Config tree** into `user/config/security-private.php`. On upgrade, the existing salt value is migrated into the new file on first request (preserving CSRF nonces and sessions) and the key is scrubbed from both the live `Config` object and the on-disk YAML \u2014 so `{{ grav.config.get(\u0027security.salt\u0027) }}` from a sandboxed Twig template now returns null. The `.php` extension is blocked from web access by the default `user/*.php` htaccess rule; the file contains only a `return` statement, so direct PHP exec produces no output either.\n\nThe PoC\u0027s password-hash half (`grav[\u0027accounts\u0027].load(\u0027admin\u0027).get(\u0027hashed_password\u0027)`) was already covered by the new Twig content sandbox in 2.0.0-beta.2 \u2014 `UserCollection::load` is not in the sandbox allowlist \u2014 see the separate GHSA-58hj-46fw-rcfm advisory.\n\n**Files:**\n- [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php) \u2014 new `Security::getNonceKey()` + migration.\n- [`system/src/Grav/Common/Utils.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Utils.php) \u2014 `generateNonceString` now uses the new key.\n- [`system/src/Grav/Common/Service/SessionServiceProvider.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Service/SessionServiceProvider.php).\n- [`system/src/Grav/Common/Config/Setup.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Config/Setup.php) \u2014 removed auto-gen of `security.salt`.\n- [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml) \u2014 removed placeholder `salt:`.\n- [`tests/unit/Grav/Common/Security/NonceKeySecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/NonceKeySecurityTest.php) \u2014 migration + generation coverage.",
  "id": "GHSA-3f29-pqwf-v4j4",
  "modified": "2026-05-13T13:52:19Z",
  "published": "2026-05-05T21:26:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42610"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass"
}

GHSA-3F33-44XM-29M7

Vulnerability from github – Published: 2026-02-12 09:30 – Updated: 2026-02-27 15:34
VLAI
Details

Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.

This did not leak any annotations that would not otherwise be visible on the public dashboard.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-12T09:16:08Z",
    "severity": "MODERATE"
  },
  "details": "Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.\n\nThis did not leak any annotations that would not otherwise be visible on the public dashboard.",
  "id": "GHSA-3f33-44xm-29m7",
  "modified": "2026-02-27T15:34:11Z",
  "published": "2026-02-12T09:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21722"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/security/security-advisories/CVE-2026-21722"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3F6G-M4HR-59H8

Vulnerability from github – Published: 2024-08-09 21:23 – Updated: 2024-08-14 17:18
VLAI
Summary
OpenFGA Authorization Bypass
Details

Overview

OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses but not and from expressions and a userset.

Fix

  • If you are using OpenFGA within Docker or as a Go library, as a binary, or through Docker, upgrade to v1.5.9 as soon as possible
  • If using Helm chart, upgrade to 0.2.12 as soon as possible.

This fix is backward compatible.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openfga/openfga"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.7"
            },
            {
              "fixed": "1.5.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-09T21:23:26Z",
    "nvd_published_at": "2024-08-12T13:38:35Z",
    "severity": "HIGH"
  },
  "details": "## Overview\n\nOpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses `but not` and `from` expressions and a userset. \n\n## Fix\n\n- If you are using OpenFGA within Docker or as a Go library, as a binary, or through Docker, upgrade to v1.5.9 as soon as possible\n- If using Helm chart, upgrade to 0.2.12 as soon as possible. \n\nThis fix is backward compatible.",
  "id": "GHSA-3f6g-m4hr-59h8",
  "modified": "2024-08-14T17:18:24Z",
  "published": "2024-08-09T21:23:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/security/advisories/GHSA-3f6g-m4hr-59h8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42473"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openfga/openfga"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenFGA Authorization Bypass"
}

GHSA-3F9V-226V-2QC9

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials.

A local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-22T19:17:04Z",
    "severity": "HIGH"
  },
  "details": "The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials.\n\nA local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges.",
  "id": "GHSA-3f9v-226v-2qc9",
  "modified": "2026-05-26T13:30:20Z",
  "published": "2026-05-26T13:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6406"
    },
    {
      "type": "WEB",
      "url": "https://docs.docker.com/desktop/release-notes/#4590"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-299"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.